FirstBlood-#17 — Stored XSS on
This report has been reviewed and accepted as a valid vulnerability on FirstBlood!
On 2021-05-09, smhtahsin33 reported:
I found a stored XSS in /drpanel/drapi/query.php?aptid=56914507
It triggers in the Administrator account.
Steps To Reproduce:
- Visit http://firstbloodhackers.com:49202/book-appointment.html
- On the First Name Enter
- Then fill up everything and send
- When the admin visits the appointment via
- It will pop up there
Note: confirm has backticks ` in place of parentheses; the markdown is executing it as bold text on 1
This report has been publicly disclosed for everyone to view
FirstBlood ID: 10
Vulnerability Type: Stored XSS
When creating an appointment, it is possible to get stored XSS in /drapi/query.php via the patient's name.
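As an added illustration (not code from the report or from the FirstBlood application), the following Python model of the admin appointment view shows the unencoded rendering the report describes beside an entity-encoded version, plus a triage check for stored names that already carry markup. The appointment records, field names and the script-style name value are constructed for the example.

```python
import html
import re

# Constructed appointment records standing in for rows saved by the booking
# form; the second first_name is a constructed XSS-style value, not the
# reporter's payload (the disclosure does not reproduce it).
APPOINTMENTS = [
    {"aptid": "1001", "first_name": "Alice", "last_name": "Smith"},
    {"aptid": "1002", "first_name": "<script>confirm`1`</script>", "last_name": "Doe"},
]


def render_name_vulnerable(apt):
    """Defect class from the report: the untrusted name fields are
    interpolated straight into the admin page's HTML cell."""
    return f"{apt['first_name']} {apt['last_name']}"


def render_name_fixed(apt):
    """Same cell with every untrusted field entity-encoded for the HTML
    element-content context, so the browser shows the name as text."""
    esc = lambda v: html.escape(str(v), quote=True)
    return f"{esc(apt['first_name'])} {esc(apt['last_name'])}"


def is_text_only(cell):
    """True if the rendered cell contains no raw tag opener, i.e. nothing
    the HTML parser would treat as an element rather than text."""
    return re.search(r"<[a-zA-Z/!]", cell) is None


# Triage aid after deploying the fix: flag stored rows whose name already
# carries markup or an on*= handler so they can be reviewed. This is a
# review query, not an input filter; output encoding is the actual fix.
SUSPECT_RE = re.compile(r"<|\bon[a-z]+\s*=", re.IGNORECASE)


def suspicious_appointments(records):
    return [r["aptid"] for r in records
            if SUSPECT_RE.search(f"{r['first_name']} {r['last_name']}")]


if __name__ == "__main__":
    for apt in APPOINTMENTS:
        print("vulnerable:", render_name_vulnerable(apt))
        print("fixed:     ", render_name_fixed(apt))
    print("rows to review:", suspicious_appointments(APPOINTMENTS))
```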
Creator & Administrator
Nice find smhtahsin33! :)
Respect Earnt: 1000000
is an experimental cryptocurrency based on the Ethereum blockchain with the mission to show respect to those who deserve it. We are testing it out on our FirstBlood hackevent.